Client DPA Veritas Int

DATA PROTECTION AGREEMENT

Please read this document in full, fill in your details and the details of your company at the bottom of this document and confirm you agree with the Veritas Intercontinental Data Processing Agreement (DPA). For any questions in relation to this DPA, please email dpo@veritasint.com

This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the client requesting the services of Veritas Intercontinental SL (“Controller”), and VERITAS INTERCONTINENTAL SL (the “Processor”). Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, so that Controller is able to meet its data protection obligations under Applicable Privacy Laws.

In accordance with the Spanish Agency for Data Protection’s (AEPD’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller.

1. General. In performance of the Services, the Processor will Process data (including Personal Data) of or at the direction of the Controller. This DPA applies to the Controller and its affiliates (collectively, the “Controller”), and references herein to the Controller apply with equal force and effect to the Controller’s affiliates as if such affiliate had executed this DPA.

2. Definitions.

“Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws.

“Order” means each mutually executed order form or statement of work for Services.

“Processor” means a natural or legal person which processes personal data on behalf of the Controller or another Processor.

“Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; and internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website or application.

“Processing”, “Processes” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processing Instructions” means the Controller’s written instructions (including but not limited to the terms contained in any Order and this DPA) that govern the Processor’s Processing of Personal Data.

“Processing Location” means the location(s) in which the Controller, or any Controller Affiliate to which this DPA applies, is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA.

“Security Incident” means that Personal Data has been subject to both (i) a compromise of the systems in which Controller Personal Data is held, such that Controller Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) a risk of harm to Data Subjects that merits notification to Data Subjects. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer.

“Services” means any and all services that the Processor performs, or enables the Processor’s systems and technology to perform, under this DPA and/or any Order.

“Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller.

3. Details of Personal Data Processing. The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1.

4. Compliance. For purposes of this DPA, each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to the Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or for as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any purpose other than the performance of the Services, and only pursuant to the Controller’s Processing Instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringe or otherwise violate Applicable Privacy Laws, and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated. At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority.

5. International transfers. Personal Data may be stored and Processed globally, including in the EEA, by the Processor and the Processor’s Sub-processors. Where the Controller wishes to transfer Personal Data to a country other than the country in which the Personal Data was first collected, the Controller shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws and that the Personal Data will be protected to the standard required by Applicable Privacy Laws, by ensuring that appropriate contractual arrangements are in place with the Processor.

6. Confidentiality of processing. The Processor shall ensure that any person that it authorizes to process the Controller Personal Data knows that the Controller Personal Data is confidential information of the Controller and is subject to the confidentiality, non-use, and non-disclosure obligations in this DPA. The Processor shall ensure that such persons Process the Controller Personal Data only as necessary for the Purpose.

7. Security, Retention & Disposal. The Processor shall implement technical and organizational measures appropriate to the nature of the Controller Personal Data to protect the Controller Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Controller Personal Data. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”). The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA.

8. Sub-processing. The Processor shall not engage Sub-processors to Process the Controller Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller hereby provides its general written consent to the Processor for engaging Sub-processors to Process the Controller Personal Data provided that:

8.1. The Processor’s criteria for use of a Sub-processor shall require imposing data protection terms that ensure at least the same standard of protection provided under this DPA, and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors.

8.2. The Processor’s current Sub-processors are identified at Annex 3.

9. Notification and Audit. If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Controller Personal Data, the Processor shall inform the Controller without undue delay. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data. Unless agreed to otherwise in writing by the Parties, such audit shall consist of written questionnaires and documentation in relation thereto. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period.

10. Order of Precedence & Further Documents. In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof.

11. Miscellaneous. This DPA will remain in effect until, and automatically expire when, the Processor deletes and/or procures deletion of all the Controller Personal Data Processed by the Processor. This DPA, its Annexes, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, canceled or changed only by written mutual agreement signed by both Parties.

Annex 1

Categories of data subjects whose Personal Data is Processed: Controller’s workforce members, and Controller’s patients (i.e. individual data subject testing participants).

Categories of Personal Data Processed: Personal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address and phone number, and employment details if required to deliver the services.

Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Data Concerning Health (Special Category Data) and Genetic data. If required to deliver the services, race, ethnicity and information about sex life may also be Processed. Safeguards and restrictions to ensure the protection of this data are set out in this DPA and Annex 2.

Nature of the Processing: Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Purpose(s) for which the Personal Data is Processed on behalf of the Controller: Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Duration of the processing: The Processing shall continue until the later of (a) the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired, and (b) Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data. Processor will retain data where it has a legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller. Processing shall be performed with the required frequency to test individual Data Subject Participants at the request of the Controller or the individual Data Subject.

For processing by (sub-)processors, also specify subject matter, nature and duration of the processing: As above, for the sole purpose of supporting Processor in delivery of services under this Agreement.

Annex 2

Technical and Organizational Security Measures, including technical and organisational measures to ensure the security of data

Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller. We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us.

Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure:

- Information Security Program Management
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Management
- Audit Logging and Monitoring
- Education, Training & Awareness
- Third Party Assurance (including ensuring adequate privacy and security of sub-processors)
- Incident Management and Response, including meeting any breach notification reporting obligations
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security

Topic areas that our privacy program addresses include (without limitation):

- Workforce Privacy Training and Workshops
- Privacy by Design and Default
- Maintaining a Record of Data Processing Activities
- Privacy Notice and Consent Management
- Performing Data Privacy Impact Assessments
- Third Party Risk and Contract Management
- Cross-border Data Transfers Review and Security
- Data Subject Rights Requests Program Management
- Incident Management and Response Programs
- Breach Notification Procedures

Annex 3

Potential Sub-processors

Name                 Description of Processing
AWS                  Cloud Data Storage
Microsoft Azure      Cloud Data Storage
Fulgent Genetics     Carrier genetic testing

This DPA has been pre-signed on behalf of Veritas Intercontinental SL.

The Processor: VERITAS INTERCONTINENTAL SL
BY:
NAME: Thomas Bently
TITLE: VP Data Compliance and Privacy, DPO
DATE: (As per date when Controller electronically agrees to DPA)